@aura-stack/auth 0.6.0 → 0.7.1
- package/dist/@types/index.cjs +1 -0
- package/dist/@types/index.d.ts +2 -2
- package/dist/@types/index.js +1 -0
- package/dist/assert-DaZSf4SH.cjs +3 -0
- package/dist/assert-av6s0a6t.js +3 -0
- package/dist/client/index.cjs +1 -1
- package/dist/client/index.d.ts +1 -1
- package/dist/client/index.js +1 -1
- package/dist/crypto-BF4ETYC9.cjs +1 -0
- package/dist/crypto-D6aq4c8x.js +1 -0
- package/dist/env-BG1x-kSX.js +1 -0
- package/dist/env-BhQ2k7jj.cjs +1 -0
- package/dist/errors-Czt_w1t_.js +1 -0
- package/dist/errors-DcK2ELlk.cjs +1 -0
- package/dist/identity-n3aahaEr.cjs +1 -0
- package/dist/{index-BkpwQ0l4.d.cts → index-1ADcIVGC.d.ts} +822 -355
- package/dist/index.cjs +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/dist/{logger-C59_CDMk.js → logger-BfUjjtxf.js} +1 -1
- package/dist/{logger-UnUhYL2V.cjs → logger-CVwkloPj.cjs} +1 -1
- package/dist/oauth/atlassian.d.ts +1 -1
- package/dist/oauth/bitbucket.d.ts +1 -1
- package/dist/oauth/click-up.cjs +1 -0
- package/dist/oauth/click-up.d.ts +2 -0
- package/dist/oauth/click-up.js +1 -0
- package/dist/oauth/discord.d.ts +1 -1
- package/dist/oauth/dribbble.cjs +1 -0
- package/dist/oauth/dribbble.d.ts +2 -0
- package/dist/oauth/dribbble.js +1 -0
- package/dist/oauth/dropbox.d.ts +1 -1
- package/dist/oauth/figma.d.ts +1 -1
- package/dist/oauth/github.d.ts +1 -1
- package/dist/oauth/gitlab.d.ts +1 -1
- package/dist/oauth/index.cjs +1 -1
- package/dist/oauth/index.d.ts +2 -2
- package/dist/oauth/index.js +1 -1
- package/dist/oauth/mailchimp.d.ts +1 -1
- package/dist/oauth/notion.cjs +1 -1
- package/dist/oauth/notion.d.ts +1 -1
- package/dist/oauth/notion.js +1 -1
- package/dist/oauth/pinterest.d.ts +1 -1
- package/dist/oauth/spotify.d.ts +1 -1
- package/dist/oauth/strava.d.ts +1 -1
- package/dist/oauth/twitch.cjs +1 -1
- package/dist/oauth/twitch.d.ts +1 -1
- package/dist/oauth/twitch.js +1 -1
- package/dist/oauth/x.d.ts +1 -1
- package/dist/shared/cookies.cjs +1 -0
- package/dist/shared/cookies.d.ts +1 -0
- package/dist/shared/cookies.js +1 -0
- package/dist/shared/crypto.cjs +1 -1
- package/dist/shared/crypto.d.ts +26 -2
- package/dist/shared/crypto.js +1 -1
- package/dist/shared/identity.cjs +1 -1
- package/dist/shared/identity.d.ts +2 -2
- package/dist/shared/identity.js +1 -1
- package/dist/shared/index.cjs +1 -1
- package/dist/shared/index.d.ts +1 -1
- package/dist/shared/index.js +1 -1
- package/package.json +28 -6
- package/dist/assert-B3iQSYlK.js +0 -3
- package/dist/assert-NJGroSJd.cjs +0 -3
- package/dist/crypto-Bz8nIciY.js +0 -1
- package/dist/crypto-CoXA5w_4.cjs +0 -1
- package/dist/env-bq387KyP.cjs +0 -1
- package/dist/env-nvh8QBNz.js +0 -1
- package/dist/errors-CCYPHuBO.cjs +0 -1
- package/dist/errors-DFWHOho6.js +0 -1
- package/dist/index-nqLV2t91.d.ts +0 -2279
- package/dist/index.d.cts +0 -2
- package/dist/oauth-BntNm6aE.cjs +0 -1
- package/dist/oauth-DmHy9VrB.js +0 -1
|
@@ -1,11 +1,17 @@
|
|
|
1
|
-
import { ZodObject, ZodRawShape, ZodTypeAny, z } from "zod/v4";
|
|
2
|
-
import { JWTPayload } from "@aura-stack/jose/jose";
|
|
3
|
-
import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, Prettify, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
|
|
4
1
|
import * as _$_aura_stack_router0 from "@aura-stack/router";
|
|
5
2
|
import { ClientOptions, GlobalContext } from "@aura-stack/router";
|
|
3
|
+
import { ZodObject, ZodRawShape, ZodTypeAny, infer as __Infer, z } from "zod/v4";
|
|
4
|
+
import { Type } from "arktype";
|
|
5
|
+
import { TObject, TProperties, TSchema, Type as Type$1 } from "typebox";
|
|
6
|
+
import { JWK, JWTPayload } from "@aura-stack/jose/jose";
|
|
7
|
+
import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
|
|
6
8
|
import { SerializeOptions } from "@aura-stack/router/cookie";
|
|
7
|
-
import * as
|
|
9
|
+
import * as valibot from "valibot";
|
|
10
|
+
import { AnySchema, BaseSchema, InferOutput, ObjectEntries, ObjectSchema } from "valibot";
|
|
11
|
+
import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts";
|
|
8
12
|
import * as _$zod_v4_core0 from "zod/v4/core";
|
|
13
|
+
import { infer as infer$1 } from "zod/v4/core";
|
|
14
|
+
import * as _$zod from "zod";
|
|
9
15
|
|
|
10
16
|
//#region src/schemas.d.ts
|
|
11
17
|
/**
|
|
@@ -72,17 +78,6 @@ declare const createJoseInstance: <DefaultUser extends User = User>(secret?: JWT
|
|
|
72
78
|
decodeJWT: (token: string, options?: DecodeJWTOptions) => Promise<TypedJWTPayload<DefaultUser>>;
|
|
73
79
|
};
|
|
74
80
|
//#endregion
|
|
75
|
-
//#region src/shared/identity.d.ts
|
|
76
|
-
declare const UserIdentity: z.ZodObject<{
|
|
77
|
-
sub: z.ZodString;
|
|
78
|
-
name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
79
|
-
image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
80
|
-
email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
|
|
81
|
-
}, z.core.$strip>;
|
|
82
|
-
type UserShape = (typeof UserIdentity)["shape"];
|
|
83
|
-
type UserIdentityType = z.infer<typeof UserIdentity>;
|
|
84
|
-
declare const createIdentity: <S extends EditableShape<UserShape>>(shape: S) => z.ZodObject<{ -readonly [P in keyof S]: S[P] }, z.core.$strip>;
|
|
85
|
-
//#endregion
|
|
86
81
|
//#region src/api/createApi.d.ts
|
|
87
82
|
declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContext) => {
|
|
88
83
|
/**
|
|
@@ -165,6 +160,43 @@ declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContex
|
|
|
165
160
|
signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
|
|
166
161
|
};
|
|
167
162
|
//#endregion
|
|
163
|
+
//#region src/shared/identity.d.ts
|
|
164
|
+
declare const UserIdentity: z.ZodObject<{
|
|
165
|
+
sub: z.ZodString;
|
|
166
|
+
name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
167
|
+
image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
168
|
+
email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
|
|
169
|
+
}, z.core.$strip>;
|
|
170
|
+
declare const UserIdentityValibot: valibot.ObjectSchema<{
|
|
171
|
+
readonly sub: valibot.StringSchema<undefined>;
|
|
172
|
+
readonly name: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
|
|
173
|
+
readonly image: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
|
|
174
|
+
readonly email: valibot.OptionalSchema<valibot.NullableSchema<valibot.SchemaWithPipe<readonly [valibot.StringSchema<undefined>, valibot.EmailAction<string, undefined>]>, undefined>, undefined>;
|
|
175
|
+
}, undefined>;
|
|
176
|
+
declare const UserIdentityArkType: _$arktype_internal_variants_object_ts0.ObjectType<{
|
|
177
|
+
sub: string;
|
|
178
|
+
name?: string | null | undefined;
|
|
179
|
+
image?: string | null | undefined;
|
|
180
|
+
email?: string | null | undefined;
|
|
181
|
+
}, {}>;
|
|
182
|
+
declare const UserIdentityTypeBox: Type$1.TObject<{
|
|
183
|
+
sub: Type$1.TString;
|
|
184
|
+
name: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
185
|
+
image: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
186
|
+
email: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
187
|
+
}>;
|
|
188
|
+
type UserShape = typeof UserIdentity.shape;
|
|
189
|
+
type UserShapeValibot = typeof UserIdentityValibot.entries;
|
|
190
|
+
type UserShapeArkType = typeof UserIdentityArkType;
|
|
191
|
+
type UserShapeTypeBox = typeof UserIdentityTypeBox.properties;
|
|
192
|
+
type IsArkType<T extends Identities> = T extends EditableShapeArkType<UserShapeArkType> ? true : false;
|
|
193
|
+
type IsZod<T extends Identities> = T extends EditableShape<UserShape> ? true : false;
|
|
194
|
+
type IsValibot<T extends Identities> = T extends EditableShapeValibot<UserShapeValibot> ? true : false;
|
|
195
|
+
type SchemaTypes = ZodObject<any> | valibot.ObjectSchema<any, undefined> | Type<{}> | Type$1.TObject;
|
|
196
|
+
type Identities = EditableShape<UserShape> | EditableShapeValibot<UserShapeValibot> | EditableShapeArkType<UserShapeArkType> | EditableShapeTypebox<UserShapeTypeBox> | EditableUser;
|
|
197
|
+
type ReturnShapeType<T> = T extends EditableShape<UserShape> ? z.ZodObject<T> : T extends EditableShapeValibot<UserShapeValibot> ? valibot.ObjectSchema<T, undefined> : T extends EditableShapeArkType<UserShapeArkType> ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? Type$1.TObject<T> : T extends EditableUser ? z.ZodObject<T> : never;
|
|
198
|
+
declare const createIdentity: <S extends Identities>(shape: S) => ReturnShapeType<S>;
|
|
199
|
+
//#endregion
|
|
168
200
|
//#region src/shared/logger.d.ts
|
|
169
201
|
/**
|
|
170
202
|
* Log message definitions organized by category.
|
|
@@ -475,6 +507,16 @@ declare const logMessages: {
|
|
|
475
507
|
declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
|
|
476
508
|
declare const createSyslogMessage: (options: SyslogOptions) => string;
|
|
477
509
|
//#endregion
|
|
510
|
+
//#region src/validator/registry.d.ts
|
|
511
|
+
declare const createSchemaRegistry: <Identity extends SchemaTypes>(config: IdentityConfig<Identity>) => {
|
|
512
|
+
parse: (data?: unknown) => Promise<any>;
|
|
513
|
+
parseAsPartial: (data?: unknown) => Promise<any>;
|
|
514
|
+
parseWithJWT: (data?: unknown) => Promise<any>;
|
|
515
|
+
schema: any;
|
|
516
|
+
schemaAsPartial: any;
|
|
517
|
+
schemaWithJWT: any;
|
|
518
|
+
};
|
|
519
|
+
//#endregion
|
|
478
520
|
//#region src/oauth/github.d.ts
|
|
479
521
|
/**
|
|
480
522
|
* @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
|
|
@@ -1044,6 +1086,73 @@ interface AtlassianProfile {
|
|
|
1044
1086
|
*/
|
|
1045
1087
|
declare const atlassian: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
|
|
1046
1088
|
//#endregion
|
|
1089
|
+
//#region src/oauth/click-up.d.ts
|
|
1090
|
+
/**
|
|
1091
|
+
* @see [Click Up - Get Authorized User](https://developer.clickup.com/reference/getauthorizeduser)
|
|
1092
|
+
*/
|
|
1093
|
+
interface ClickUpProfile {
|
|
1094
|
+
user: {
|
|
1095
|
+
id: number;
|
|
1096
|
+
username: string;
|
|
1097
|
+
email: string;
|
|
1098
|
+
color: string;
|
|
1099
|
+
profilePicture: string;
|
|
1100
|
+
initials: string;
|
|
1101
|
+
week_start_day: number;
|
|
1102
|
+
global_font_support: boolean;
|
|
1103
|
+
timezone: string;
|
|
1104
|
+
};
|
|
1105
|
+
}
|
|
1106
|
+
/**
|
|
1107
|
+
* ClickUp OAuth Provider
|
|
1108
|
+
*
|
|
1109
|
+
* @see [Click Up - Create your own app](https://help.clickup.com/hc/en-us/articles/6303422883095-Create-your-own-app-with-the-ClickUp-API)
|
|
1110
|
+
* @see [Click Up - Authentication](https://developer.clickup.com/docs/authentication)
|
|
1111
|
+
* @see [Click UP - Get Access Token](https://developer.clickup.com/reference/getaccesstoken)
|
|
1112
|
+
* @see [Click Up - Get Authorized User](https://developer.clickup.com/reference/getauthorizeduser)
|
|
1113
|
+
*/
|
|
1114
|
+
declare const clickUp: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
|
|
1115
|
+
//#endregion
|
|
1116
|
+
//#region src/oauth/dribbble.d.ts
|
|
1117
|
+
/**
|
|
1118
|
+
* @see [Dribble - User](https://developer.dribbble.com/v2/user/)
|
|
1119
|
+
*/
|
|
1120
|
+
interface DribbbleDefault {
|
|
1121
|
+
id: number;
|
|
1122
|
+
name: string;
|
|
1123
|
+
login: string;
|
|
1124
|
+
html_url: string;
|
|
1125
|
+
avatar_url: string;
|
|
1126
|
+
bio: string;
|
|
1127
|
+
location: string;
|
|
1128
|
+
links?: {
|
|
1129
|
+
web?: string;
|
|
1130
|
+
twitter?: string;
|
|
1131
|
+
};
|
|
1132
|
+
created_at: string;
|
|
1133
|
+
}
|
|
1134
|
+
interface DribbbleTeams extends DribbbleDefault {
|
|
1135
|
+
type: "Team";
|
|
1136
|
+
updated_at: string;
|
|
1137
|
+
}
|
|
1138
|
+
interface DribbbleProfile extends DribbbleDefault {
|
|
1139
|
+
type: "User";
|
|
1140
|
+
/** Not documented but available in the API response */
|
|
1141
|
+
email: string | null;
|
|
1142
|
+
can_upload_shot: boolean;
|
|
1143
|
+
pro: boolean;
|
|
1144
|
+
followers_count: number;
|
|
1145
|
+
teams: DribbbleTeams[];
|
|
1146
|
+
}
|
|
1147
|
+
/**
|
|
1148
|
+
* Dribbble OAuth provider
|
|
1149
|
+
*
|
|
1150
|
+
* @see [Dribbble - Register Application](https://dribbble.com/account/applications/new)
|
|
1151
|
+
* @see [Dribbble - OAuth](https://developer.dribbble.com/v2/oauth/)
|
|
1152
|
+
* @see [Dribbble - User](https://developer.dribbble.com/v2/user/)
|
|
1153
|
+
*/
|
|
1154
|
+
declare const dribbble: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
|
|
1155
|
+
//#endregion
|
|
1047
1156
|
//#region src/oauth/index.d.ts
|
|
1048
1157
|
declare const builtInOAuthProviders: {
|
|
1049
1158
|
readonly github: <DefaultUser extends User = {
|
|
@@ -1130,6 +1239,18 @@ declare const builtInOAuthProviders: {
|
|
|
1130
1239
|
image?: string | null | undefined;
|
|
1131
1240
|
email?: string | null | undefined;
|
|
1132
1241
|
}>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
|
|
1242
|
+
readonly clickUp: <DefaultUser extends User = {
|
|
1243
|
+
sub: string;
|
|
1244
|
+
name?: string | null | undefined;
|
|
1245
|
+
image?: string | null | undefined;
|
|
1246
|
+
email?: string | null | undefined;
|
|
1247
|
+
}>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
|
|
1248
|
+
readonly dribbble: <DefaultUser extends User = {
|
|
1249
|
+
sub: string;
|
|
1250
|
+
name?: string | null | undefined;
|
|
1251
|
+
image?: string | null | undefined;
|
|
1252
|
+
email?: string | null | undefined;
|
|
1253
|
+
}>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
|
|
1133
1254
|
};
|
|
1134
1255
|
/**
|
|
1135
1256
|
* Constructs OAuth provider configurations from an array of provider names or configurations.
|
|
@@ -1147,6 +1268,196 @@ declare const builtInOAuthProviders: {
|
|
|
1147
1268
|
declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
|
|
1148
1269
|
type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
|
|
1149
1270
|
//#endregion
|
|
1271
|
+
//#region src/@types/session.d.ts
|
|
1272
|
+
/** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
|
|
1273
|
+
type User = infer$1<typeof UserIdentity>;
|
|
1274
|
+
/**
|
|
1275
|
+
* Session data returned by the session endpoint.
|
|
1276
|
+
*/
|
|
1277
|
+
interface Session<DefaultUser extends User = User> {
|
|
1278
|
+
user: DefaultUser;
|
|
1279
|
+
expires: string;
|
|
1280
|
+
}
|
|
1281
|
+
interface CryptoSecret {
|
|
1282
|
+
sign: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
|
|
1283
|
+
encrypt: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
|
|
1284
|
+
}
|
|
1285
|
+
interface AsymmetricKeyPairFromEnv {
|
|
1286
|
+
publicKey: string;
|
|
1287
|
+
privateKey: string;
|
|
1288
|
+
}
|
|
1289
|
+
interface AsymmetricKeyPair {
|
|
1290
|
+
publicKey: CryptoKey | JWK;
|
|
1291
|
+
privateKey: CryptoKey | JWK;
|
|
1292
|
+
}
|
|
1293
|
+
/**
|
|
1294
|
+
* A symmetric secret or asymmetric key pair used for JWT operations.
|
|
1295
|
+
*
|
|
1296
|
+
* - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
|
|
1297
|
+
* - CryptoKey: Web Crypto API key, for environments that support it
|
|
1298
|
+
* - CryptoKeyPair: asymmetric signing/encryption (RS256, ES256, EdDSA, RSA-OAEP, etc.)
|
|
1299
|
+
*/
|
|
1300
|
+
type SecretKey = string | Uint8Array | CryptoKey | CryptoKeyPair | CryptoSecret | JWK | AsymmetricKeyPair;
|
|
1301
|
+
/**
|
|
1302
|
+
* @todo: add key rotation support for "SecretKey | CryptoKeyPair | [SecretKey | CryptoKeyPair, ...(SecretKey | CryptoKeyPair)[]]"
|
|
1303
|
+
*/
|
|
1304
|
+
type JWTKey = SecretKey;
|
|
1305
|
+
/**
|
|
1306
|
+
* - "signed" → standard JWS (e.g. HS256, RS256, ES256).
|
|
1307
|
+
* - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
|
|
1308
|
+
* - "sealed" → JWS nested inside JWE (signed then encrypted).
|
|
1309
|
+
*/
|
|
1310
|
+
type JWTMode = "signed" | "encrypted" | "sealed";
|
|
1311
|
+
/**
|
|
1312
|
+
* Signing algorithms for "signed" and "sealed" modes.
|
|
1313
|
+
* Symmetric: HS256 | HS384 | HS512
|
|
1314
|
+
* Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
|
|
1315
|
+
*/
|
|
1316
|
+
type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
|
|
1317
|
+
/**
|
|
1318
|
+
* Key-wrapping algorithms for "encrypted" and "sealed" modes.
|
|
1319
|
+
* Symmetric: A128KW | A192KW | A256KW | dir (direct)
|
|
1320
|
+
* ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
|
|
1321
|
+
* RSA: RSA-OAEP | RSA-OAEP-256
|
|
1322
|
+
*/
|
|
1323
|
+
type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
|
|
1324
|
+
/** Content-encryption algorithms for JWE. */
|
|
1325
|
+
type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
|
|
1326
|
+
/** Signed JWT mode configuration. */
|
|
1327
|
+
type JWTSignedMode = {
|
|
1328
|
+
mode: "signed";
|
|
1329
|
+
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1330
|
+
};
|
|
1331
|
+
/** Encrypted JWT mode configuration. */
|
|
1332
|
+
type JWTEncryptedMode = {
|
|
1333
|
+
mode: "encrypted";
|
|
1334
|
+
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1335
|
+
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
1336
|
+
};
|
|
1337
|
+
/** Signed and Encrypted JWT mode configuration. */
|
|
1338
|
+
type JWTSealedMode = {
|
|
1339
|
+
mode?: "sealed";
|
|
1340
|
+
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1341
|
+
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1342
|
+
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
1343
|
+
};
|
|
1344
|
+
/** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
|
|
1345
|
+
type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
|
|
1346
|
+
/** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
|
|
1347
|
+
type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
|
|
1348
|
+
type JWTConfig = Prettify<{
|
|
1349
|
+
/**
|
|
1350
|
+
* Token lifetime.
|
|
1351
|
+
*/
|
|
1352
|
+
maxAge?: number;
|
|
1353
|
+
/**
|
|
1354
|
+
* JWT `iss` (issuer) claim. Set this to your app's canonical URL.
|
|
1355
|
+
* @example "https://auth.example.com"
|
|
1356
|
+
*/
|
|
1357
|
+
issuer?: string;
|
|
1358
|
+
/**
|
|
1359
|
+
* JWT `aud` claim. Single value or array for multi-audience tokens.
|
|
1360
|
+
* @example ["https://api.example.com", "https://app.example.com"]
|
|
1361
|
+
*/
|
|
1362
|
+
audience?: string | string[];
|
|
1363
|
+
/**
|
|
1364
|
+
* Maximum absolute session duration in seconds.
|
|
1365
|
+
* Required for "absolute" and "sliding" strategies.
|
|
1366
|
+
* Enforced via jose's maxTokenAge against the iat claim.
|
|
1367
|
+
*/
|
|
1368
|
+
maxExpiration?: number;
|
|
1369
|
+
/**
|
|
1370
|
+
* Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
|
|
1371
|
+
*/
|
|
1372
|
+
expirationStrategy?: JWTExpirationStrategy;
|
|
1373
|
+
} & JWTConfigBase>;
|
|
1374
|
+
/**
|
|
1375
|
+
* Stateless JWT strategy.
|
|
1376
|
+
* No database required. Tokens are self-contained and cannot be revoked
|
|
1377
|
+
* before they expire — keep `jwt.maxAge` short or enable refresh tokens.
|
|
1378
|
+
*
|
|
1379
|
+
* @example
|
|
1380
|
+
* {
|
|
1381
|
+
* strategy: "jwt",
|
|
1382
|
+
* jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
|
|
1383
|
+
* refreshToken: { enabled: true, maxAge: "7d" },
|
|
1384
|
+
* }
|
|
1385
|
+
*/
|
|
1386
|
+
type StatelessStrategyConfig = {
|
|
1387
|
+
strategy?: "jwt";
|
|
1388
|
+
jwt?: JWTConfig;
|
|
1389
|
+
};
|
|
1390
|
+
/**
|
|
1391
|
+
* The session strategy. Determines which fields below are required.
|
|
1392
|
+
*
|
|
1393
|
+
* - "jwt": stateless. No database needed. JWTs are self-contained.
|
|
1394
|
+
* - "database": stateful. Every request hits the DB to validate the session.
|
|
1395
|
+
* - "hybrid": JWT transport + DB revocation. Best of both for most apps.
|
|
1396
|
+
*
|
|
1397
|
+
* @default "jwt"
|
|
1398
|
+
*/
|
|
1399
|
+
type SessionConfig = StatelessStrategyConfig;
|
|
1400
|
+
/** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
|
|
1401
|
+
interface GetStatelessSessionReturn<DefaultUser extends User = User> {
|
|
1402
|
+
session: Session<DefaultUser> | null;
|
|
1403
|
+
headers: Headers;
|
|
1404
|
+
}
|
|
1405
|
+
/**
|
|
1406
|
+
* Abstraction layer for session management.
|
|
1407
|
+
*/
|
|
1408
|
+
interface SessionStrategy<DefaultUser extends User = User> {
|
|
1409
|
+
/**
|
|
1410
|
+
* Read and validate the session from an incoming request.
|
|
1411
|
+
* Returns null if absent, invalid, or expired. Never throws on auth failure.
|
|
1412
|
+
*/
|
|
1413
|
+
getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
|
|
1414
|
+
/**
|
|
1415
|
+
* Create a session after successful authentication.
|
|
1416
|
+
* Signs the JWT / writes the DB row / sets cookies.
|
|
1417
|
+
*/
|
|
1418
|
+
createSession(session: User): Promise<string>;
|
|
1419
|
+
/**
|
|
1420
|
+
* Attempt to refresh using the refresh token cookie.
|
|
1421
|
+
* Returns null session + cookie-clearing response on any failure.
|
|
1422
|
+
*/
|
|
1423
|
+
refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
|
|
1424
|
+
session: Session<DefaultUser> | null;
|
|
1425
|
+
headers: Headers;
|
|
1426
|
+
}>;
|
|
1427
|
+
/**
|
|
1428
|
+
* Revoke a session by ID.
|
|
1429
|
+
* JWT strategy: best-effort (clears cookies, no server state).
|
|
1430
|
+
* Database / hybrid: marks row inactive.
|
|
1431
|
+
*/
|
|
1432
|
+
revokeSession(sessionId: string): Promise<void>;
|
|
1433
|
+
/**
|
|
1434
|
+
* Destroy the session attached to this request (logout).
|
|
1435
|
+
* Returns a response that clears cookies.
|
|
1436
|
+
*/
|
|
1437
|
+
destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
|
|
1438
|
+
}
|
|
1439
|
+
/** Inputs for constructing a session strategy implementation for a given identity schema. */
|
|
1440
|
+
interface CreateSessionStrategyOptions<Identity extends Identities> {
|
|
1441
|
+
config?: SessionConfig;
|
|
1442
|
+
jose: JoseInstance<FromShapeToObject<Identity> & User>;
|
|
1443
|
+
cookies: () => CookieStoreConfig;
|
|
1444
|
+
logger?: InternalLogger;
|
|
1445
|
+
identity: SchemaRegistryContext;
|
|
1446
|
+
}
|
|
1447
|
+
/** Options specialized for the JWT-backed session strategy. */
|
|
1448
|
+
interface JWTStrategyOptions<DefaultUser extends User = User> {
|
|
1449
|
+
config?: StatelessStrategyConfig;
|
|
1450
|
+
jose: JoseInstance<DefaultUser>;
|
|
1451
|
+
logger?: InternalLogger;
|
|
1452
|
+
cookies: () => CookieStoreConfig;
|
|
1453
|
+
identity: SchemaRegistryContext;
|
|
1454
|
+
}
|
|
1455
|
+
/** Minimal token issue/verify surface used by session code paths. */
|
|
1456
|
+
type JWTManager<DefaultUser extends User = User> = {
|
|
1457
|
+
createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
|
|
1458
|
+
verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
|
|
1459
|
+
};
|
|
1460
|
+
//#endregion
|
|
1150
1461
|
//#region src/@types/oauth.d.ts
|
|
1151
1462
|
/** Known query parameter names supported when building an OAuth authorization URL. */
|
|
1152
1463
|
type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
|
|
@@ -1214,7 +1525,7 @@ type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<
|
|
|
1214
1525
|
* Main configuration interface for Aura Auth.
|
|
1215
1526
|
* This is the user-facing configuration object passed to `createAuth()`.
|
|
1216
1527
|
*/
|
|
1217
|
-
|
|
1528
|
+
type AuthConfig<Identity extends Identities> = {
|
|
1218
1529
|
/**
|
|
1219
1530
|
* OAuth providers available in the authentication and authorization flows. It provides a type-inference
|
|
1220
1531
|
* for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
|
|
@@ -1245,7 +1556,7 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
|
|
|
1245
1556
|
* ]
|
|
1246
1557
|
* ```
|
|
1247
1558
|
*/
|
|
1248
|
-
oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any,
|
|
1559
|
+
oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, FromShapeToObject<Identity>>)[];
|
|
1249
1560
|
/**
|
|
1250
1561
|
* Cookie options defines the configuration for cookies used in Aura Auth.
|
|
1251
1562
|
* It includes a prefix for cookie names and flag options to determine
|
|
@@ -1269,6 +1580,27 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
|
|
|
1269
1580
|
* Secret used to sign and verify JWT tokens for session and csrf protection.
|
|
1270
1581
|
* If not provided, it will load from the environment variable `AURA_AUTH_SECRET` or `AUTH_SECRET`, but if it
|
|
1271
1582
|
* doesn't exist, it will throw an error during the initialization of the Auth module.
|
|
1583
|
+
*
|
|
1584
|
+
* > It can be a string, a Uint8Array, a CryptoKey, a CryptoKeyPair, or an object containing separate keys for
|
|
1585
|
+
* signing and encryption. It depends on the JWT mode and algorithms you choose in the session configuration.
|
|
1586
|
+
* The default mode is "sealed" (signing + encryption), so if the secret is a string or Uint8Array, it will derive
|
|
1587
|
+
* separate keys for signing and encryption using HKDF, but if you provide a CryptoKeyPair, it will required to
|
|
1588
|
+
* pass separate keys for signing and encryption in the `CryptoSecret` format.
|
|
1589
|
+
* @example
|
|
1590
|
+
* import { createSecretValue } from "@aura-stack/auth/crypto"
|
|
1591
|
+
*
|
|
1592
|
+
* secret: createSecretValue(32)
|
|
1593
|
+
*
|
|
1594
|
+
* // For asymmetric keys, generate a key pair and pass the private
|
|
1595
|
+
* import { createKeyPair } from "@aura-stack/auth/crypto"
|
|
1596
|
+
*
|
|
1597
|
+
* const signing = await createKeyPair("RS256", { extractable: true })
|
|
1598
|
+
* const encryption = await createKeyPair("RSA-OAEP-256", { extractable: true })
|
|
1599
|
+
*
|
|
1600
|
+
* secret: {
|
|
1601
|
+
* sign: signing,
|
|
1602
|
+
* encrypt: encryption,
|
|
1603
|
+
* }
|
|
1272
1604
|
*/
|
|
1273
1605
|
secret?: JWTKey;
|
|
1274
1606
|
/**
|
|
@@ -1279,45 +1611,11 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
|
|
|
1279
1611
|
* Base path for all authentication routes. Default is `/auth`.
|
|
1280
1612
|
*/
|
|
1281
1613
|
basePath?: `/${string}`;
|
|
1282
|
-
/**
|
|
1283
|
-
* Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
|
|
1284
|
-
* This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
|
|
1285
|
-
* to determine the original client IP address and protocol.
|
|
1286
|
-
*
|
|
1287
|
-
* Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
|
|
1288
|
-
* Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
|
|
1289
|
-
* inaccurate client IP logging.
|
|
1290
|
-
*
|
|
1291
|
-
* This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
|
|
1292
|
-
*
|
|
1293
|
-
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
|
|
1294
|
-
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
|
|
1295
|
-
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
|
|
1296
|
-
* @experimental
|
|
1297
|
-
*/
|
|
1298
|
-
trustedProxyHeaders?: boolean;
|
|
1299
1614
|
/**
|
|
1300
1615
|
* Logger configuration for handling authentication-related logs and errors. It can be set to `true`,
|
|
1301
1616
|
* `DEBUG=true`, `LOG_LEVEL=debug`, or a custom logger. It implements the syslog format.
|
|
1302
1617
|
*/
|
|
1303
1618
|
logger?: boolean | Logger;
|
|
1304
|
-
/**
|
|
1305
|
-
* Defines trusted origins for your application to prevent open redirect attacks.
|
|
1306
|
-
* URLs from the Referer header, Origin header, request URL, and redirectTo option
|
|
1307
|
-
* are validated against this list before redirecting.
|
|
1308
|
-
*
|
|
1309
|
-
* - **Exact URL**: `https://example.com` matches only that origin.
|
|
1310
|
-
* - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
|
|
1311
|
-
* @example
|
|
1312
|
-
* trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
|
|
1313
|
-
*
|
|
1314
|
-
*
|
|
1315
|
-
* trustedOrigins: async (request) => {
|
|
1316
|
-
* const origin = new URL(request.url).origin
|
|
1317
|
-
* return [origin, "https://admin.example.com"]
|
|
1318
|
-
* }
|
|
1319
|
-
*/
|
|
1320
|
-
trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
|
|
1321
1619
|
/**
|
|
1322
1620
|
* Defines the session management strategy for Aura Auth. It determines how sessions are created, stored, and validated.
|
|
1323
1621
|
*/
|
|
@@ -1344,36 +1642,131 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
|
|
|
1344
1642
|
* }
|
|
1345
1643
|
*/
|
|
1346
1644
|
identity?: Partial<{
|
|
1645
|
+
/**
|
|
1646
|
+
* Skip schema validation for session data, JWT payloads, and OAuth profiles.
|
|
1647
|
+
* This can be useful for performance optimization if you are certain that the
|
|
1648
|
+
* data is valid, but it can lead to security vulnerabilities if misused.
|
|
1649
|
+
* > ⚠️ WARNING: Use this option with caution.
|
|
1650
|
+
*/
|
|
1347
1651
|
skipValidation: boolean;
|
|
1348
|
-
|
|
1652
|
+
/**
|
|
1653
|
+
* Custom schema validation for user identity data. It supports any Zod, Arktype,
|
|
1654
|
+
* Valibot or Typebox schema. Use `createIdentity` helper function to create a schema
|
|
1655
|
+
* with the correct shape and inference.
|
|
1656
|
+
*/
|
|
1657
|
+
schema: ConfigSchema<Identity>;
|
|
1658
|
+
/**
|
|
1659
|
+
* Defines how unknown keys are handled during schema validation. It can be set to:
|
|
1660
|
+
* - `passthrough`: Unknown keys are allowed and included in the validated data.
|
|
1661
|
+
* - `strict`: Unknown keys will cause validation to fail with an error.
|
|
1662
|
+
* - `strip`: Unknown keys are removed from the validated data.
|
|
1663
|
+
*/
|
|
1349
1664
|
unknownKeys: "passthrough" | "strict" | "strip";
|
|
1350
1665
|
}>;
|
|
1351
1666
|
/**
|
|
1352
1667
|
* Credentials provider for username/password or similar authentication.
|
|
1353
1668
|
*/
|
|
1354
1669
|
credentials?: CredentialsProvider<Identity>;
|
|
1355
|
-
}
|
|
1670
|
+
} & TrustedProxyHeadersConfig;
|
|
1671
|
+
type TrustedProxyHeadersConfig = {
|
|
1672
|
+
/**
|
|
1673
|
+
* Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
|
|
1674
|
+
* This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
|
|
1675
|
+
* to determine the original client IP address and protocol.
|
|
1676
|
+
*
|
|
1677
|
+
* Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
|
|
1678
|
+
* Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
|
|
1679
|
+
* inaccurate client IP logging.
|
|
1680
|
+
*
|
|
1681
|
+
* This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
|
|
1682
|
+
*
|
|
1683
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
|
|
1684
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
|
|
1685
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
|
|
1686
|
+
* @experimental
|
|
1687
|
+
*/
|
|
1688
|
+
trustedProxyHeaders: true;
|
|
1689
|
+
/**
|
|
1690
|
+
* Defines trusted origins for your application to prevent open redirect attacks.
|
|
1691
|
+
* URLs from the Referer header, Origin header, request URL, and redirectTo option
|
|
1692
|
+
* are validated against this list before redirecting.
|
|
1693
|
+
*
|
|
1694
|
+
* - **Exact URL**: `https://example.com` matches only that origin.
|
|
1695
|
+
* - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
|
|
1696
|
+
*
|
|
1697
|
+
* > **⚠️ WARNING:** Ensure that the trusted origins are configured correctly to prevent open redirect vulnerabilities.
|
|
1698
|
+
* Only include origins that you control and trust.
|
|
1699
|
+
*
|
|
1700
|
+
* @example
|
|
1701
|
+
* trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
|
|
1702
|
+
*
|
|
1703
|
+
* trustedOrigins: async (request) => {
|
|
1704
|
+
* const origin = new URL(request.url).origin
|
|
1705
|
+
* return [origin, "https://admin.example.com"]
|
|
1706
|
+
* }
|
|
1707
|
+
*/
|
|
1708
|
+
trustedOrigins: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
|
|
1709
|
+
} | {
|
|
1710
|
+
/**
|
|
1711
|
+
* Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
|
|
1712
|
+
* This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
|
|
1713
|
+
* to determine the original client IP address and protocol.
|
|
1714
|
+
*
|
|
1715
|
+
* Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
|
|
1716
|
+
* Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
|
|
1717
|
+
* inaccurate client IP logging.
|
|
1718
|
+
*
|
|
1719
|
+
* This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
|
|
1720
|
+
*
|
|
1721
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
|
|
1722
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
|
|
1723
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
|
|
1724
|
+
* @experimental
|
|
1725
|
+
*/
|
|
1726
|
+
trustedProxyHeaders?: false;
|
|
1727
|
+
/**
|
|
1728
|
+
* Defines trusted origins for your application to prevent open redirect attacks.
|
|
1729
|
+
* URLs from the Referer header, Origin header, request URL, and redirectTo option
|
|
1730
|
+
* are validated against this list before redirecting.
|
|
1731
|
+
*
|
|
1732
|
+
* - **Exact URL**: `https://example.com` matches only that origin.
|
|
1733
|
+
* - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
|
|
1734
|
+
*
|
|
1735
|
+
* > **⚠️ WARNING:** Ensure that the trusted origins are configured correctly to prevent open redirect vulnerabilities.
|
|
1736
|
+
* Only include origins that you control and trust.
|
|
1737
|
+
*
|
|
1738
|
+
* @example
|
|
1739
|
+
* trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
|
|
1740
|
+
*
|
|
1741
|
+
* trustedOrigins: async (request) => {
|
|
1742
|
+
* const origin = new URL(request.url).origin
|
|
1743
|
+
* return [origin, "https://admin.example.com"]
|
|
1744
|
+
* }
|
|
1745
|
+
*
|
|
1746
|
+
*/
|
|
1747
|
+
trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
|
|
1748
|
+
};
|
|
1356
1749
|
/**
|
|
1357
1750
|
* Cookie type with __Secure- prefix, must be Secure.
|
|
1358
1751
|
* @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
|
|
1359
1752
|
*/
|
|
1360
1753
|
type SecureCookie = {
|
|
1361
1754
|
strategy: "secure";
|
|
1362
|
-
} & Prettify
|
|
1755
|
+
} & Prettify<Omit<SerializeOptions, "secure" | "encode">>;
|
|
1363
1756
|
/**
|
|
1364
1757
|
* Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
|
|
1365
1758
|
* @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
|
|
1366
1759
|
*/
|
|
1367
1760
|
type HostCookie = {
|
|
1368
1761
|
strategy: "host";
|
|
1369
|
-
} & Prettify
|
|
1762
|
+
} & Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
|
|
1370
1763
|
/**
|
|
1371
1764
|
* Standard cookie type without security prefixes.
|
|
1372
1765
|
* Can be sent over both HTTP and HTTPS connections (default in development).
|
|
1373
1766
|
*/
|
|
1374
1767
|
type StandardCookie = {
|
|
1375
1768
|
strategy?: "standard";
|
|
1376
|
-
} & Prettify
|
|
1769
|
+
} & Prettify<Omit<SerializeOptions, "encode">>;
|
|
1377
1770
|
/**
|
|
1378
1771
|
* Union type for cookie options based on the specified strategy.
|
|
1379
1772
|
* - `secure`: Cookies are only sent over HTTPS connections
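Review bot: In the `trustedProxyHeaders: true` branch of `TrustedProxyHeadersConfig` (new lines 1688–1708) `trustedOrigins` becomes a required property, but its doc comment is a verbatim copy of the optional variant and never says that the list is mandatory in this mode or why; a reader comparing the two branches has to diff them to notice. The same comment also states the flag can be set through `AURA_AUTH_TRUSTED_PROXY_HEADERS`, and an env-var path cannot be narrowed by this union, so the type-level requirement is presumably not enforced there — the comment should say whether a runtime check covers that case. I would add to the required variant's doc: `* Required when \`trustedProxyHeaders\` is \`true\`; note that enabling the flag via the environment variable bypasses this compile-time requirement, so configure the list explicitly in that case.` As a style point, the 17-line proxy-header comment is duplicated across both union members, and a single shared `@see`-style reference to one documented declaration would keep the two from drifting apart.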
|
|
@@ -1386,10 +1779,9 @@ type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
|
|
|
1386
1779
|
* - `sessionToken`: User session JWT
|
|
1387
1780
|
* - `csrfToken`: CSRF protection token
|
|
1388
1781
|
* - `state`: OAuth state parameter for CSRF protection
|
|
1389
|
-
* - `
|
|
1390
|
-
* - `
|
|
1391
|
-
* - `
|
|
1392
|
-
* - `nonce`: OpenID Connect nonce parameter
|
|
1782
|
+
* - `codeVerifier`: PKCE code verifier for authorization code flow
|
|
1783
|
+
* - `redirectURI`: OAuth callback URI
|
|
1784
|
+
* - `redirectTo`: Post-authentication redirect path
|
|
1393
1785
|
*/
|
|
1394
1786
|
type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
|
|
1395
1787
|
/** Resolved cookie names and serialization attributes for each logical auth cookie. */
|
|
@@ -1402,6 +1794,10 @@ interface CookieConfig {
|
|
|
1402
1794
|
* Prefix to be added to all cookie names. By default "aura-stack".
|
|
1403
1795
|
*/
|
|
1404
1796
|
prefix?: string;
|
|
1797
|
+
/**
|
|
1798
|
+
* Overrides for individual cookie configurations.
|
|
1799
|
+
* @see {@link CookieStoreConfig} for the structure of each cookie configuration.
|
|
1800
|
+
*/
|
|
1405
1801
|
overrides?: Partial<CookieStoreConfig>;
|
|
1406
1802
|
}
|
|
1407
1803
|
/**
|
|
@@ -1454,8 +1850,9 @@ interface InternalLogger {
|
|
|
1454
1850
|
* Identity validation settings used when building session strategy and OAuth profile mapping.
|
|
1455
1851
|
* Controls the Zod schema and how unknown keys are handled on user objects.
|
|
1456
1852
|
*/
|
|
1457
|
-
interface IdentityConfig<Schema extends
|
|
1853
|
+
interface IdentityConfig<Schema extends SchemaTypes = typeof UserIdentity> {
|
|
1458
1854
|
schema?: Schema;
|
|
1855
|
+
schemaAsPartial?: Schema;
|
|
1459
1856
|
skipValidation?: boolean;
|
|
1460
1857
|
unknownKeys?: "passthrough" | "strict" | "strip";
|
|
1461
1858
|
}
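Review bot: `schemaAsPartial?: Schema;` (new line 1855) is added to `IdentityConfig` without a doc comment, and from the declaration alone it is not clear which data this partial schema is validated against or how it relates to `schema`; a one-line comment stating that contract would save callers from guessing. The interface header at context lines 1850–1852 still says "Controls the Zod schema", while the new constraint `Schema extends SchemaTypes` and the `identity.schema` doc elsewhere in this file admit Zod, Arktype, Valibot or Typebox schemas, so that sentence is now inaccurate. I would change it to `* Controls the identity schema (Zod, Arktype, Valibot or Typebox) and how unknown keys are handled on user objects.` and add above the new field `/** Partial form of \`schema\` — document what it is applied to (presumably updates that carry only a subset of identity fields; confirm). */`.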
|
|
@@ -1485,14 +1882,14 @@ interface CredentialsProviderContext<T> {
|
|
|
1485
1882
|
/**
|
|
1486
1883
|
* Interface for the credentials provider.
|
|
1487
1884
|
*/
|
|
1488
|
-
interface CredentialsProvider<Identity extends
|
|
1885
|
+
interface CredentialsProvider<Identity extends Identities> {
|
|
1489
1886
|
hash?: (password: string, salt?: string, iterations?: number) => Promise<string>;
|
|
1490
1887
|
verify?: (password: string, hashedPassword: string) => Promise<boolean>;
|
|
1491
1888
|
/**
|
|
1492
1889
|
* Authenticates a user using credentials.
|
|
1493
1890
|
* Must return a User object or the identity type if the identity schema is provided.
|
|
1494
1891
|
*/
|
|
1495
|
-
authorize: (ctx: CredentialsProviderContext<CredentialsPayload>) => Promise<
|
|
1892
|
+
authorize: (ctx: CredentialsProviderContext<CredentialsPayload>) => Promise<FromShapeToObject<Identity> | null> | FromShapeToObject<Identity> | null;
|
|
1496
1893
|
}
|
|
1497
1894
|
/**
|
|
1498
1895
|
* Runtime context passed into auth actions and API handlers: OAuth map, cookies, JWT, session strategy, trusted origins, etc.
|
|
@@ -1510,11 +1907,12 @@ interface RouterGlobalContext<DefaultUser extends User = User> {
|
|
|
1510
1907
|
trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
|
|
1511
1908
|
logger?: InternalLogger;
|
|
1512
1909
|
sessionStrategy: SessionStrategy<DefaultUser>;
|
|
1513
|
-
identity:
|
|
1514
|
-
|
|
1515
|
-
|
|
1516
|
-
|
|
1517
|
-
|
|
1910
|
+
identity: SchemaRegistryContext;
|
|
1911
|
+
}
|
|
1912
|
+
interface SchemaRegistryContext {
|
|
1913
|
+
schemaRegistry: ReturnType<typeof createSchemaRegistry>;
|
|
1914
|
+
skipValidation?: boolean;
|
|
1915
|
+
unknownKeys: "passthrough" | "strict" | "strip";
|
|
1518
1916
|
}
|
|
1519
1917
|
/**
|
|
1520
1918
|
* Internal runtime configuration used within Aura Auth after initialization.
|
|
@@ -1525,8 +1923,17 @@ type AuthRuntimeConfig<DefaultUser extends User = User> = RouterGlobalContext<De
|
|
|
1525
1923
|
* Public auth instance: programmatic {@link AuthAPI}, {@link JoseInstance}, and HTTP {@link AuthClient} handlers.
|
|
1526
1924
|
*/
|
|
1527
1925
|
interface AuthInstance<DefaultUser extends User = User> {
|
|
1926
|
+
/**
|
|
1927
|
+
* Programmatic API for authentication actions (getSession, signIn, signOut, etc.) that can be used in server-side contexts or API routes.
|
|
1928
|
+
*/
|
|
1528
1929
|
api: AuthAPI<DefaultUser>;
|
|
1930
|
+
/**
|
|
1931
|
+
* JOSE helper functions for signin, encryption and verification of JWTs.
|
|
1932
|
+
*/
|
|
1529
1933
|
jose: JoseInstance<DefaultUser>;
|
|
1934
|
+
/**
|
|
1935
|
+
* HTTP handlers for mounting on a router or server.
|
|
1936
|
+
*/
|
|
1530
1937
|
handlers: {
|
|
1531
1938
|
GET: (request: Request) => Response | Promise<Response>;
|
|
1532
1939
|
POST: (request: Request) => Response | Promise<Response>;
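Review bot: The new doc comment on `jose` (new line 1931) reads "JOSE helper functions for signin, encryption and verification of JWTs", where "signin" is a typo for the JWT operation "signing", which is a different thing from the sign-in flow described on `api` two lines above; the mix-up is worth fixing in a security-facing API surface. Change it to `* JOSE helper functions for signing, encryption and verification of JWTs.`. The `handlers` doc could also name the two members it documents, e.g. `* HTTP handlers (\`GET\`, \`POST\`) for mounting on a router or server.`, since the object type continues past this hunk.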
|
|
@@ -1537,199 +1944,16 @@ interface AuthInstance<DefaultUser extends User = User> {
|
|
|
1537
1944
|
/**
|
|
1538
1945
|
* Extended context used inside the library with both secure and standard cookie materializations.
|
|
1539
1946
|
*/
|
|
1540
|
-
type InternalContext<Identity extends
|
|
1947
|
+
type InternalContext<Identity extends Identities> = RouterGlobalContext<FromShapeToObject<Identity> & User> & {
|
|
1541
1948
|
cookieConfig: {
|
|
1542
1949
|
secure: CookieStoreConfig;
|
|
1543
1950
|
standard: CookieStoreConfig;
|
|
1544
1951
|
};
|
|
1545
1952
|
};
|
|
1546
1953
|
//#endregion
|
|
1547
|
-
//#region src/@types/session.d.ts
|
|
1548
|
-
/** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
|
|
1549
|
-
type User = UserIdentityType;
|
|
1550
|
-
/**
|
|
1551
|
-
* Session data returned by the session endpoint.
|
|
1552
|
-
*/
|
|
1553
|
-
interface Session<DefaultUser extends User = User> {
|
|
1554
|
-
user: DefaultUser;
|
|
1555
|
-
expires: string;
|
|
1556
|
-
}
|
|
1557
|
-
/**
|
|
1558
|
-
* A symmetric secret or asymmetric key pair used for JWT operations.
|
|
1559
|
-
*
|
|
1560
|
-
* - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
|
|
1561
|
-
* - CryptoKey: Web Crypto API key, for environments that support it
|
|
1562
|
-
* - KeyPair: asymmetric signing (RS256, ES256, EdDSA, etc.)
|
|
1563
|
-
*/
|
|
1564
|
-
type SecretKey = string | Uint8Array | CryptoKey;
|
|
1565
|
-
/** Asymmetric key pair for signing or key agreement (Web Crypto `CryptoKey` pair). */
|
|
1566
|
-
interface KeyPair {
|
|
1567
|
-
privateKey: CryptoKey;
|
|
1568
|
-
publicKey: CryptoKey;
|
|
1569
|
-
}
|
|
1570
|
-
/**
|
|
1571
|
-
* @todo: add key rotation support for "SecretKey | KeyPair | [SecretKey | KeyPair, ...(SecretKey | KeyPair)[]]"
|
|
1572
|
-
*/
|
|
1573
|
-
type JWTKey = SecretKey;
|
|
1574
|
-
/**
|
|
1575
|
-
* - "signed" → standard JWS (e.g. HS256, RS256, ES256).
|
|
1576
|
-
* - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
|
|
1577
|
-
* - "sealed" → JWS nested inside JWE (signed then encrypted).
|
|
1578
|
-
*/
|
|
1579
|
-
type JWTMode = "signed" | "encrypted" | "sealed";
|
|
1580
|
-
/**
|
|
1581
|
-
* Signing algorithms for "signed" and "sealed" modes.
|
|
1582
|
-
* Symmetric: HS256 | HS384 | HS512
|
|
1583
|
-
* Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
|
|
1584
|
-
*/
|
|
1585
|
-
type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
|
|
1586
|
-
/**
|
|
1587
|
-
* Key-wrapping algorithms for "encrypted" and "sealed" modes.
|
|
1588
|
-
* Symmetric: A128KW | A192KW | A256KW | dir (direct)
|
|
1589
|
-
* ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
|
|
1590
|
-
* RSA: RSA-OAEP | RSA-OAEP-256
|
|
1591
|
-
*/
|
|
1592
|
-
type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
|
|
1593
|
-
/** Content-encryption algorithms for JWE. */
|
|
1594
|
-
type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
|
|
1595
|
-
/** Signed JWT mode configuration. */
|
|
1596
|
-
type JWTSignedMode = {
|
|
1597
|
-
mode: "signed";
|
|
1598
|
-
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1599
|
-
};
|
|
1600
|
-
/** Encrypted JWT mode configuration. */
|
|
1601
|
-
type JWTEncryptedMode = {
|
|
1602
|
-
mode: "encrypted";
|
|
1603
|
-
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1604
|
-
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
1605
|
-
};
|
|
1606
|
-
/** Signed and Encrypted JWT mode configuration. */
|
|
1607
|
-
type JWTSealedMode = {
|
|
1608
|
-
mode?: "sealed";
|
|
1609
|
-
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1610
|
-
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1611
|
-
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
1612
|
-
};
|
|
1613
|
-
/** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
|
|
1614
|
-
type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
|
|
1615
|
-
/** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
|
|
1616
|
-
type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
|
|
1617
|
-
type JWTConfig = {
|
|
1618
|
-
/**
|
|
1619
|
-
* Token lifetime.
|
|
1620
|
-
*/
|
|
1621
|
-
maxAge?: number;
|
|
1622
|
-
/**
|
|
1623
|
-
* JWT `iss` (issuer) claim. Set this to your app's canonical URL.
|
|
1624
|
-
* @example "https://auth.example.com"
|
|
1625
|
-
*/
|
|
1626
|
-
issuer?: string;
|
|
1627
|
-
/**
|
|
1628
|
-
* JWT `aud` claim. Single value or array for multi-audience tokens.
|
|
1629
|
-
* @example ["https://api.example.com", "https://app.example.com"]
|
|
1630
|
-
*/
|
|
1631
|
-
audience?: string | string[];
|
|
1632
|
-
/**
|
|
1633
|
-
* Maximum absolute session duration in seconds.
|
|
1634
|
-
* Required for "absolute" and "sliding" strategies.
|
|
1635
|
-
* Enforced via jose's maxTokenAge against the iat claim.
|
|
1636
|
-
*/
|
|
1637
|
-
maxExpiration?: number;
|
|
1638
|
-
/**
|
|
1639
|
-
* Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
|
|
1640
|
-
*/
|
|
1641
|
-
expirationStrategy?: JWTExpirationStrategy;
|
|
1642
|
-
} & JWTConfigBase;
|
|
1643
|
-
/**
|
|
1644
|
-
* Stateless JWT strategy.
|
|
1645
|
-
* No database required. Tokens are self-contained and cannot be revoked
|
|
1646
|
-
* before they expire — keep `jwt.maxAge` short or enable refresh tokens.
|
|
1647
|
-
*
|
|
1648
|
-
* @example
|
|
1649
|
-
* {
|
|
1650
|
-
* strategy: "jwt",
|
|
1651
|
-
* jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
|
|
1652
|
-
* refreshToken: { enabled: true, maxAge: "7d" },
|
|
1653
|
-
* }
|
|
1654
|
-
*/
|
|
1655
|
-
type StatelessStrategyConfig = {
|
|
1656
|
-
strategy?: "jwt";
|
|
1657
|
-
jwt?: JWTConfig;
|
|
1658
|
-
};
|
|
1659
|
-
/**
|
|
1660
|
-
* The session strategy. Determines which fields below are required.
|
|
1661
|
-
*
|
|
1662
|
-
* - "jwt": stateless. No database needed. JWTs are self-contained.
|
|
1663
|
-
* - "database": stateful. Every request hits the DB to validate the session.
|
|
1664
|
-
* - "hybrid": JWT transport + DB revocation. Best of both for most apps.
|
|
1665
|
-
*
|
|
1666
|
-
* @default "jwt"
|
|
1667
|
-
*/
|
|
1668
|
-
type SessionConfig = StatelessStrategyConfig;
|
|
1669
|
-
/** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
|
|
1670
|
-
interface GetStatelessSessionReturn<DefaultUser extends User = User> {
|
|
1671
|
-
session: Session<DefaultUser> | null;
|
|
1672
|
-
headers: Headers;
|
|
1673
|
-
}
|
|
1674
|
-
/**
|
|
1675
|
-
* Abstraction layer for session management.
|
|
1676
|
-
*/
|
|
1677
|
-
interface SessionStrategy<DefaultUser extends User = User> {
|
|
1678
|
-
/**
|
|
1679
|
-
* Read and validate the session from an incoming request.
|
|
1680
|
-
* Returns null if absent, invalid, or expired. Never throws on auth failure.
|
|
1681
|
-
*/
|
|
1682
|
-
getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
|
|
1683
|
-
/**
|
|
1684
|
-
* Create a session after successful authentication.
|
|
1685
|
-
* Signs the JWT / writes the DB row / sets cookies.
|
|
1686
|
-
*/
|
|
1687
|
-
createSession(session: User): Promise<string>;
|
|
1688
|
-
/**
|
|
1689
|
-
* Attempt to refresh using the refresh token cookie.
|
|
1690
|
-
* Returns null session + cookie-clearing response on any failure.
|
|
1691
|
-
*/
|
|
1692
|
-
refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
|
|
1693
|
-
session: Session<DefaultUser> | null;
|
|
1694
|
-
headers: Headers;
|
|
1695
|
-
}>;
|
|
1696
|
-
/**
|
|
1697
|
-
* Revoke a session by ID.
|
|
1698
|
-
* JWT strategy: best-effort (clears cookies, no server state).
|
|
1699
|
-
* Database / hybrid: marks row inactive.
|
|
1700
|
-
*/
|
|
1701
|
-
revokeSession(sessionId: string): Promise<void>;
|
|
1702
|
-
/**
|
|
1703
|
-
* Destroy the session attached to this request (logout).
|
|
1704
|
-
* Returns a response that clears cookies.
|
|
1705
|
-
*/
|
|
1706
|
-
destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
|
|
1707
|
-
}
|
|
1708
|
-
/** Inputs for constructing a session strategy implementation for a given identity schema. */
|
|
1709
|
-
interface CreateSessionStrategyOptions<Identity extends EditableShape<UserShape>> {
|
|
1710
|
-
config?: SessionConfig;
|
|
1711
|
-
jose: JoseInstance<ShapeToObject<Identity> & User>;
|
|
1712
|
-
cookies: () => CookieStoreConfig;
|
|
1713
|
-
logger?: InternalLogger;
|
|
1714
|
-
identity: IdentityConfig;
|
|
1715
|
-
}
|
|
1716
|
-
/** Options specialized for the JWT-backed session strategy. */
|
|
1717
|
-
interface JWTStrategyOptions<DefaultUser extends User = User> {
|
|
1718
|
-
config?: StatelessStrategyConfig;
|
|
1719
|
-
jose: JoseInstance<DefaultUser>;
|
|
1720
|
-
logger?: InternalLogger;
|
|
1721
|
-
cookies: () => CookieStoreConfig;
|
|
1722
|
-
identity: IdentityConfig;
|
|
1723
|
-
}
|
|
1724
|
-
/** Minimal token issue/verify surface used by session code paths. */
|
|
1725
|
-
type JWTManager<DefaultUser extends User = User> = {
|
|
1726
|
-
createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
|
|
1727
|
-
verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
|
|
1728
|
-
};
|
|
1729
|
-
//#endregion
|
|
1730
1954
|
//#region src/@types/utility.d.ts
|
|
1731
1955
|
/** Expands intersection types into a single flat object type for readable editor hints. */
|
|
1732
|
-
type Prettify
|
|
1956
|
+
type Prettify<T> = { [K in keyof T]: T[K] };
|
|
1733
1957
|
/**
|
|
1734
1958
|
* A string that must be one of the literals in `T`, or any other string (`U`).
|
|
1735
1959
|
* Useful for autocomplete on known keys while still allowing custom values.
|
|
@@ -1739,33 +1963,97 @@ type LiteralUnion<T extends U, U = string> = T | (U & Record<never, never>);
|
|
|
1739
1963
|
* Transforms a Zod raw shape so nested `ZodObject` fields become editable (same structure, for config authoring).
|
|
1740
1964
|
*/
|
|
1741
1965
|
type EditableShape<T extends ZodRawShape> = { [K in keyof T]: T[K] extends ZodObject<infer Inner extends ZodRawShape> ? ZodObject<EditableShape<Inner>> : ZodTypeAny };
|
|
1966
|
+
type EditableShapeZod<T extends ZodRawShape> = EditableShape<T>;
|
|
1967
|
+
type AnyShape = Record<string, AnySchema>;
|
|
1968
|
+
type EditableShapeValibot<T extends ObjectEntries> = { [K in keyof T]: T[K] extends ObjectSchema<infer Inner extends AnyShape, undefined> ? ObjectSchema<EditableShapeValibot<Inner>, undefined> : BaseSchema<any, any, any> };
|
|
1969
|
+
type EditableShapeTypebox<T extends TProperties> = { [K in keyof T]: T[K] extends TObject ? Wrap<EditableShapeTypebox<T[K]["properties"]>> : TSchema };
|
|
1970
|
+
type EditableUser = { [K in keyof User]: any };
|
|
1971
|
+
type ConfigSchema<T extends Identities> = IsZod<T> extends true ? ZodObject<T & ZodRawShape> : T extends EditableShapeValibot<UserShapeValibot> ? ObjectSchema<T & ObjectEntries, undefined> : IsArkType<T> extends true ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? TObject<T & TProperties> : never;
|
|
1972
|
+
type ValibotShapeToObject<S extends ObjectEntries> = Merge<InferOutput<ObjectSchema<S, undefined>>, User>;
|
|
1973
|
+
type ArktypeShapeToObject<S extends Type> = S extends Type<infer Shape> ? Wrap<Merge<Shape, User>> : never;
|
|
1974
|
+
type TypeboxShapeToObject<S> = Wrap<Merge<S, User>>;
|
|
1975
|
+
type EditableShapeArkType<T extends Type> = T extends Type<infer Shape> ? Type<{ [K in keyof Shape]: any }> : never;
|
|
1742
1976
|
/** Merges type `B` over `A`, replacing overlapping keys with `B`. */
|
|
1743
1977
|
type Merge<A, B> = Omit<A, keyof B> & B;
|
|
1744
1978
|
/**
|
|
1745
1979
|
* Infers the runtime object type from a Zod `shape` and intersects it with {@link User}
|
|
1746
1980
|
* so identity fields always include the base user contract.
|
|
1747
1981
|
*/
|
|
1748
|
-
type
|
|
1982
|
+
type ZodShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<__Infer<ZodObject<S>>, User>;
|
|
1983
|
+
type FromShapeToObject<S> = S extends ZodRawShape ? ZodShapeToObject<S> : S extends ObjectEntries ? ValibotShapeToObject<S> : S extends Type ? ArktypeShapeToObject<S> : S extends TProperties ? TypeboxShapeToObject<S> : S extends User ? S : never;
|
|
1749
1984
|
/** Recursively makes every property required. */
|
|
1750
1985
|
type DeepRequired<T> = { [K in keyof T]-?: T[K] extends object ? DeepRequired<T[K]> : T[K] };
|
|
1751
1986
|
/** Recursively makes every property optional. */
|
|
1752
1987
|
type DeepPartial<T> = { [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P] };
|
|
1753
|
-
/**
|
|
1754
|
-
type
|
|
1755
|
-
/**
|
|
1756
|
-
type
|
|
1757
|
-
|
|
1758
|
-
|
|
1988
|
+
/** Wraps a type in an object with the same keys. */
|
|
1989
|
+
type Wrap<T> = T extends any ? { [K in keyof T]: T[K] } : never;
|
|
1990
|
+
/**
|
|
1991
|
+
* Infers the user type from an {@link AuthInstance} config, or falls back to {@link User}.
|
|
1992
|
+
* @example
|
|
1993
|
+
* const auth = createAuth({
|
|
1994
|
+
* oauth: [],
|
|
1995
|
+
* identity: UserIdentity.extend({
|
|
1996
|
+
* role: z.string().nullable().optional(),
|
|
1997
|
+
* username: z.string().optional(),
|
|
1998
|
+
* })
|
|
1999
|
+
* })
|
|
2000
|
+
*
|
|
2001
|
+
* type User = InferUser<typeof auth>
|
|
2002
|
+
*/
|
|
2003
|
+
type InferUser<Config extends AuthInstance> = Config extends AuthInstance<infer Identity> ? Prettify<Identity> : User;
|
|
2004
|
+
/**
|
|
2005
|
+
* Infers the session type from an {@link AuthInstance} config.
|
|
2006
|
+
* @example
|
|
2007
|
+
* const auth = createAuth({
|
|
2008
|
+
* oauth: [],
|
|
2009
|
+
* identity: UserIdentity.extend({
|
|
2010
|
+
* role: z.string().nullable().optional(),
|
|
2011
|
+
* username: z.string().optional(),
|
|
2012
|
+
* })
|
|
2013
|
+
* })
|
|
2014
|
+
*
|
|
2015
|
+
* type Session = InferSession<typeof auth>
|
|
2016
|
+
*/
|
|
2017
|
+
type InferSession<Config extends AuthInstance> = Prettify<Session<Wrap<InferUser<Config>>>>;
|
|
2018
|
+
/**
|
|
2019
|
+
* Shorthand for a Zod object’s `.shape` property.
|
|
2020
|
+
*/
|
|
2021
|
+
type InferZodShape<T extends ZodObject> = T["shape"];
|
|
2022
|
+
/**
|
|
2023
|
+
* Infers the user type from a Zod identity schema, or falls back to {@link User}.
|
|
2024
|
+
* @example
|
|
2025
|
+
* const schema = z.object({
|
|
2026
|
+
* sub: z.string(),
|
|
2027
|
+
* role: z.string().nullable().optional(),
|
|
2028
|
+
* username: z.string().optional(),
|
|
2029
|
+
* })
|
|
2030
|
+
*
|
|
2031
|
+
* type User = UserFrom<typeof schema>
|
|
2032
|
+
*/
|
|
2033
|
+
type UserFrom<T extends ZodObject> = Prettify<ZodShapeToObject<InferZodShape<T>>>;
|
|
2034
|
+
/**
|
|
2035
|
+
* Infers the session type from a Zod identity schema.
|
|
2036
|
+
* @example
|
|
2037
|
+
* const schema = z.object({
|
|
2038
|
+
* sub: z.string(),
|
|
2039
|
+
* role: z.string().nullable().optional(),
|
|
2040
|
+
* username: z.string().optional(),
|
|
2041
|
+
* })
|
|
2042
|
+
*
|
|
2043
|
+
* type Session = SessionFrom<typeof schema>
|
|
2044
|
+
*/
|
|
2045
|
+
type SessionFrom<T extends ZodObject> = Wrap<Session<Wrap<UserFrom<T>>>>;
|
|
1759
2046
|
/**
|
|
1760
2047
|
* HTTP `Response` with `json()` typed to resolve to `Body` (defaults to `unknown`).
|
|
1761
2048
|
*/
|
|
1762
|
-
type AuthResponse<Body = unknown> = Prettify
|
|
2049
|
+
type AuthResponse<Body = unknown> = Prettify<Omit<Response, "json"> & {
|
|
1763
2050
|
json(): Promise<Body>;
|
|
1764
2051
|
}>;
|
|
2052
|
+
type RequiredKeys<Obj extends object, Keys extends keyof Obj = keyof Obj> = Wrap<{ [K in Keys]-?: Obj[K] } & Omit<Obj, Keys>>;
|
|
1765
2053
|
//#endregion
|
|
1766
2054
|
//#region src/createAuth.d.ts
|
|
1767
|
-
declare const createAuthInstance: <Identity extends
|
|
1768
|
-
handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"
|
|
2055
|
+
declare const createAuthInstance: <Identity extends Identities>(authConfig: AuthConfig<Identity>) => {
|
|
2056
|
+
handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"/signIn/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
1769
2057
|
schemas?: {
|
|
1770
2058
|
params: _$zod.ZodObject<{
|
|
1771
2059
|
oauth: _$zod.ZodEnum<{
|
|
@@ -1784,6 +2072,8 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
|
|
|
1784
2072
|
notion: "notion";
|
|
1785
2073
|
dropbox: "dropbox";
|
|
1786
2074
|
atlassian: "atlassian";
|
|
2075
|
+
clickUp: "clickUp";
|
|
2076
|
+
dribbble: "dribbble";
|
|
1787
2077
|
}>;
|
|
1788
2078
|
}, _$zod_v4_core0.$strip>;
|
|
1789
2079
|
searchParams: _$zod.ZodObject<{
|
|
@@ -1791,17 +2081,85 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
|
|
|
1791
2081
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
1792
2082
|
}, _$zod_v4_core0.$strip>;
|
|
1793
2083
|
} | undefined;
|
|
1794
|
-
}
|
|
2084
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signIn/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
2085
|
+
params: _$zod.ZodObject<{
|
|
2086
|
+
oauth: _$zod.ZodEnum<{
|
|
2087
|
+
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2088
|
+
github: "github";
|
|
2089
|
+
bitbucket: "bitbucket";
|
|
2090
|
+
figma: "figma";
|
|
2091
|
+
discord: "discord";
|
|
2092
|
+
gitlab: "gitlab";
|
|
2093
|
+
spotify: "spotify";
|
|
2094
|
+
x: "x";
|
|
2095
|
+
strava: "strava";
|
|
2096
|
+
mailchimp: "mailchimp";
|
|
2097
|
+
pinterest: "pinterest";
|
|
2098
|
+
twitch: "twitch";
|
|
2099
|
+
notion: "notion";
|
|
2100
|
+
dropbox: "dropbox";
|
|
2101
|
+
atlassian: "atlassian";
|
|
2102
|
+
clickUp: "clickUp";
|
|
2103
|
+
dribbble: "dribbble";
|
|
2104
|
+
}>;
|
|
2105
|
+
}, _$zod_v4_core0.$strip>;
|
|
2106
|
+
searchParams: _$zod.ZodObject<{
|
|
2107
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2108
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2109
|
+
}, _$zod_v4_core0.$strip>;
|
|
2110
|
+
}>>) => Promise<Prettify<Omit<Response, "json"> & {
|
|
2111
|
+
json(): Promise<{
|
|
2112
|
+
success: true;
|
|
2113
|
+
redirect: boolean;
|
|
2114
|
+
signInURL: string;
|
|
2115
|
+
}>;
|
|
2116
|
+
}> | Prettify<Omit<Response, "json"> & {
|
|
2117
|
+
json(): Promise<{
|
|
2118
|
+
success: false;
|
|
2119
|
+
redirect: false;
|
|
2120
|
+
signInURL: null;
|
|
2121
|
+
}>;
|
|
2122
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
1795
2123
|
schemas?: {
|
|
1796
2124
|
body: _$zod.ZodObject<{
|
|
1797
2125
|
username: _$zod.ZodString;
|
|
1798
2126
|
password: _$zod.ZodString;
|
|
1799
2127
|
}, _$zod_v4_core0.$strip>;
|
|
1800
2128
|
searchParams: _$zod.ZodObject<{
|
|
2129
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
1801
2130
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
1802
2131
|
}, _$zod_v4_core0.$strip>;
|
|
1803
2132
|
} | undefined;
|
|
1804
|
-
}
|
|
2133
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
2134
|
+
body: _$zod.ZodObject<{
|
|
2135
|
+
username: _$zod.ZodString;
|
|
2136
|
+
password: _$zod.ZodString;
|
|
2137
|
+
}, _$zod_v4_core0.$strip>;
|
|
2138
|
+
searchParams: _$zod.ZodObject<{
|
|
2139
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2140
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2141
|
+
}, _$zod_v4_core0.$strip>;
|
|
2142
|
+
}>>) => Promise<Prettify<Omit<Response, "json"> & {
|
|
2143
|
+
json(): Promise<{
|
|
2144
|
+
success: true;
|
|
2145
|
+
redirect: true;
|
|
2146
|
+
redirectURL: null;
|
|
2147
|
+
} | {
|
|
2148
|
+
success: true;
|
|
2149
|
+
redirect: false;
|
|
2150
|
+
redirectURL: string;
|
|
2151
|
+
} | {
|
|
2152
|
+
success: true;
|
|
2153
|
+
redirect: false;
|
|
2154
|
+
redirectURL: null;
|
|
2155
|
+
}>;
|
|
2156
|
+
}> | Prettify<Omit<Response, "json"> & {
|
|
2157
|
+
json(): Promise<{
|
|
2158
|
+
success: false;
|
|
2159
|
+
redirect: false;
|
|
2160
|
+
redirectURL: null;
|
|
2161
|
+
}>;
|
|
2162
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"/callback/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
1805
2163
|
schemas?: {
|
|
1806
2164
|
params: _$zod.ZodObject<{
|
|
1807
2165
|
oauth: _$zod.ZodEnum<{
|
|
@@ -1820,6 +2178,8 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
|
|
|
1820
2178
|
notion: "notion";
|
|
1821
2179
|
dropbox: "dropbox";
|
|
1822
2180
|
atlassian: "atlassian";
|
|
2181
|
+
clickUp: "clickUp";
|
|
2182
|
+
dribbble: "dribbble";
|
|
1823
2183
|
}>;
|
|
1824
2184
|
}, _$zod_v4_core0.$strip>;
|
|
1825
2185
|
searchParams: _$zod.ZodObject<{
|
|
@@ -1827,30 +2187,139 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
|
|
|
1827
2187
|
state: _$zod.ZodString;
|
|
1828
2188
|
}, _$zod_v4_core0.$strip>;
|
|
1829
2189
|
} | undefined;
|
|
1830
|
-
}
|
|
2190
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/callback/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
2191
|
+
params: _$zod.ZodObject<{
|
|
2192
|
+
oauth: _$zod.ZodEnum<{
|
|
2193
|
+
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2194
|
+
github: "github";
|
|
2195
|
+
bitbucket: "bitbucket";
|
|
2196
|
+
figma: "figma";
|
|
2197
|
+
discord: "discord";
|
|
2198
|
+
gitlab: "gitlab";
|
|
2199
|
+
spotify: "spotify";
|
|
2200
|
+
x: "x";
|
|
2201
|
+
strava: "strava";
|
|
2202
|
+
mailchimp: "mailchimp";
|
|
2203
|
+
pinterest: "pinterest";
|
|
2204
|
+
twitch: "twitch";
|
|
2205
|
+
notion: "notion";
|
|
2206
|
+
dropbox: "dropbox";
|
|
2207
|
+
atlassian: "atlassian";
|
|
2208
|
+
clickUp: "clickUp";
|
|
2209
|
+
dribbble: "dribbble";
|
|
2210
|
+
}>;
|
|
2211
|
+
}, _$zod_v4_core0.$strip>;
|
|
2212
|
+
searchParams: _$zod.ZodObject<{
|
|
2213
|
+
code: _$zod.ZodString;
|
|
2214
|
+
state: _$zod.ZodString;
|
|
2215
|
+
}, _$zod_v4_core0.$strip>;
|
|
2216
|
+
}>>) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<"/session", "GET", {
|
|
1831
2217
|
schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
|
|
1832
|
-
}
|
|
2218
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/session", "GET", _$_aura_stack_router0.EndpointSchemas>>) => Promise<Prettify<Omit<Response, "json"> & {
|
|
2219
|
+
json(): Promise<{
|
|
2220
|
+
success: true;
|
|
2221
|
+
session: Session<{
|
|
2222
|
+
sub: string;
|
|
2223
|
+
name?: string | null | undefined;
|
|
2224
|
+
image?: string | null | undefined;
|
|
2225
|
+
email?: string | null | undefined;
|
|
2226
|
+
}>;
|
|
2227
|
+
}>;
|
|
2228
|
+
}> | Prettify<Omit<Response, "json"> & {
|
|
2229
|
+
json(): Promise<{
|
|
2230
|
+
success: false;
|
|
2231
|
+
session: null;
|
|
2232
|
+
}>;
|
|
2233
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
1833
2234
|
schemas?: {
|
|
1834
2235
|
searchParams: _$zod.ZodObject<{
|
|
1835
|
-
|
|
2236
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
1836
2237
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2238
|
+
token_type_hint: _$zod.ZodLiteral<"session_token">;
|
|
1837
2239
|
}, _$zod_v4_core0.$strip>;
|
|
1838
2240
|
} | undefined;
|
|
1839
|
-
}
|
|
2241
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
2242
|
+
searchParams: _$zod.ZodObject<{
|
|
2243
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2244
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2245
|
+
token_type_hint: _$zod.ZodLiteral<"session_token">;
|
|
2246
|
+
}, _$zod_v4_core0.$strip>;
|
|
2247
|
+
}>>) => Promise<Prettify<Omit<Response, "json"> & {
|
|
2248
|
+
json(): Promise<{
|
|
2249
|
+
success: true;
|
|
2250
|
+
redirect: true;
|
|
2251
|
+
redirectURL: null;
|
|
2252
|
+
} | {
|
|
2253
|
+
success: true;
|
|
2254
|
+
redirect: false;
|
|
2255
|
+
redirectURL: string;
|
|
2256
|
+
} | {
|
|
2257
|
+
success: true;
|
|
2258
|
+
redirect: false;
|
|
2259
|
+
redirectURL: null;
|
|
2260
|
+
}>;
|
|
2261
|
+
}> | Prettify<Omit<Response, "json"> & {
|
|
2262
|
+
json(): Promise<{
|
|
2263
|
+
success: false;
|
|
2264
|
+
redirect: false;
|
|
2265
|
+
redirectURL: null;
|
|
2266
|
+
}>;
|
|
2267
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"/csrfToken", "GET", {
|
|
1840
2268
|
schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
|
|
1841
|
-
}
|
|
2269
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/csrfToken", "GET", _$_aura_stack_router0.EndpointSchemas>>) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
1842
2270
|
schemas?: {
|
|
1843
|
-
body:
|
|
1844
|
-
|
|
1845
|
-
|
|
1846
|
-
|
|
1847
|
-
image: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodString>>>;
|
|
1848
|
-
email: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodEmail>>>;
|
|
1849
|
-
}, _$zod_v4_core0.$strip>> | undefined;
|
|
1850
|
-
expires: _$zod.ZodOptional<_$zod.ZodCoercedDate<unknown>>;
|
|
2271
|
+
body: any;
|
|
2272
|
+
searchParams: _$zod.ZodObject<{
|
|
2273
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2274
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
1851
2275
|
}, _$zod_v4_core0.$strip>;
|
|
1852
2276
|
} | undefined;
|
|
1853
|
-
}
|
|
2277
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
|
|
2278
|
+
body: any;
|
|
2279
|
+
searchParams: _$zod.ZodObject<{
|
|
2280
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2281
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2282
|
+
}, _$zod_v4_core0.$strip>;
|
|
2283
|
+
}>>) => Promise<Prettify<Omit<Response, "json"> & {
|
|
2284
|
+
json(): Promise<{
|
|
2285
|
+
success: true;
|
|
2286
|
+
session: Session<{
|
|
2287
|
+
sub: string;
|
|
2288
|
+
name?: string | null | undefined;
|
|
2289
|
+
image?: string | null | undefined;
|
|
2290
|
+
email?: string | null | undefined;
|
|
2291
|
+
}>;
|
|
2292
|
+
redirect: true;
|
|
2293
|
+
redirectURL: null;
|
|
2294
|
+
} | {
|
|
2295
|
+
success: true;
|
|
2296
|
+
session: Session<{
|
|
2297
|
+
sub: string;
|
|
2298
|
+
name?: string | null | undefined;
|
|
2299
|
+
image?: string | null | undefined;
|
|
2300
|
+
email?: string | null | undefined;
|
|
2301
|
+
}>;
|
|
2302
|
+
redirect: false;
|
|
2303
|
+
redirectURL: string;
|
|
2304
|
+
} | {
|
|
2305
|
+
success: true;
|
|
2306
|
+
session: Session<{
|
|
2307
|
+
sub: string;
|
|
2308
|
+
name?: string | null | undefined;
|
|
2309
|
+
image?: string | null | undefined;
|
|
2310
|
+
email?: string | null | undefined;
|
|
2311
|
+
}>;
|
|
2312
|
+
redirect: false;
|
|
2313
|
+
redirectURL: null;
|
|
2314
|
+
}>;
|
|
2315
|
+
}> | Prettify<Omit<Response, "json"> & {
|
|
2316
|
+
json(): Promise<{
|
|
2317
|
+
success: false;
|
|
2318
|
+
session: null;
|
|
2319
|
+
redirect: false;
|
|
2320
|
+
redirectURL: null;
|
|
2321
|
+
}>;
|
|
2322
|
+
}>>>]>;
|
|
1854
2323
|
jose: any;
|
|
1855
2324
|
api: {
|
|
1856
2325
|
getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<{
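Review bot: The update-session endpoint's `body` schema is declared as `body: any;` on new lines 2271 and 2278, where 0.6.0 declared a concrete Zod object (the removed lines still show `image`, `email` and `expires: _$zod.ZodOptional<_$zod.ZodCoercedDate<unknown>>`), so the published types no longer state which session fields a caller may merge, and the `any` flows through `RequestContext<EndpointMeta<…, { body: any; … }>>` so `ctx.body` is unchecked at compile time for consumers. This is a generated declaration bundle, so the fix belongs in the source that defines the route: give the body schema a named type, for example a `ZodObject` over the editable session shape or `DeepPartial<Session<...>>` as `UpdateSessionOptions` already uses, rather than letting the bundler fall back to `any`. The `UPDATE_SESSION_INVALID` code added further down suggests runtime validation exists; if so the declaration should reflect that schema. The enclosing `createAuthInstance` declaration begins before this hunk and continues after it.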
|
|
@@ -1898,7 +2367,7 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
|
|
|
1898
2367
|
* }]
|
|
1899
2368
|
* })
|
|
1900
2369
|
*/
|
|
1901
|
-
declare const createAuth: <Identity extends EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<
|
|
2370
|
+
declare const createAuth: <Identity extends Identities = EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<FromShapeToObject<Identity>>;
|
|
1902
2371
|
//#endregion
|
|
1903
2372
|
//#region src/@types/errors.d.ts
|
|
1904
2373
|
/** Map of field or logical keys to API validation error payloads (code + message). */
|
|
@@ -1934,7 +2403,7 @@ type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | Token
|
|
|
1934
2403
|
* Machine-readable codes for internal auth failures (configuration, crypto, environment, etc.).
|
|
1935
2404
|
* Used with {@link AuthInternalError} and logging.
|
|
1936
2405
|
*/
|
|
1937
|
-
type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID" | "CREDENTIALS_PROVIDER_NOT_CONFIGURED" | "IDENTITY_VALIDATION_FAILED";
|
|
2406
|
+
type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID" | "CREDENTIALS_PROVIDER_NOT_CONFIGURED" | "IDENTITY_VALIDATION_FAILED" | "UPDATE_SESSION_INVALID";
|
|
1938
2407
|
/**
|
|
1939
2408
|
* Machine-readable codes for security-sensitive failures (CSRF, session, open redirect, OAuth state).
|
|
1940
2409
|
*/
|
|
@@ -2004,7 +2473,7 @@ interface APIOptionsWithRedirectTo {
|
|
|
2004
2473
|
/**
|
|
2005
2474
|
* Optional redirect strategy for server/programmatic API functions.
|
|
2006
2475
|
*
|
|
2007
|
-
* - `true`:
|
|
2476
|
+
* - `true`: The response includes a `Location` header.
|
|
2008
2477
|
* - `false`: the API returns redirect data (`signInURL` or `redirectURL`) for custom handling.
|
|
2009
2478
|
*
|
|
2010
2479
|
* Defaults are action-specific; see each API option type.
|
|
@@ -2126,16 +2595,32 @@ interface SignInCredentialsOptions extends OptionsWithRedirectTo {
|
|
|
2126
2595
|
*/
|
|
2127
2596
|
payload: CredentialsPayload;
|
|
2128
2597
|
}
|
|
2129
|
-
|
|
2130
|
-
|
|
2131
|
-
redirect:
|
|
2132
|
-
|
|
2598
|
+
type SignInCredentialsReturnData = /** redirect: true & redirectTo: string */{
|
|
2599
|
+
success: true;
|
|
2600
|
+
redirect: true;
|
|
2601
|
+
redirectURL: null;
|
|
2602
|
+
} /** redirect: false & redirectTo: string */ | {
|
|
2133
2603
|
success: true;
|
|
2604
|
+
redirect: false;
|
|
2134
2605
|
redirectURL: string;
|
|
2135
|
-
}
|
|
2606
|
+
}
|
|
2607
|
+
/** redirect: false & redirectTo: null | undefined (not set) */
|
|
2608
|
+
/** redirect: true & redirectTo: null | undefined (not set) */
|
|
2609
|
+
| {
|
|
2610
|
+
success: true;
|
|
2611
|
+
redirect: false;
|
|
2612
|
+
redirectURL: null;
|
|
2613
|
+
} /** Failed credentials */ | {
|
|
2136
2614
|
success: false;
|
|
2615
|
+
redirect: false;
|
|
2137
2616
|
redirectURL: null;
|
|
2138
|
-
}
|
|
2617
|
+
};
|
|
2618
|
+
/** Client-side credentials sign-in return type (redirect mode or manual redirect data). */
|
|
2619
|
+
type SignInCredentialsReturn<Options extends SignInCredentialsOptions> = Options extends {
|
|
2620
|
+
redirect: false;
|
|
2621
|
+
} ? Extract<SignInCredentialsReturnData, {
|
|
2622
|
+
redirect: false;
|
|
2623
|
+
}> : void;
|
|
2139
2624
|
/** Server/programmatic credentials sign-in options. */
|
|
2140
2625
|
interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest {
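Review bot: The doc comments on `SignInCredentialsReturnData` do not line up with the union members: the variant `success: true; redirect: false; redirectURL: null` is preceded by two stacked comments, `/** redirect: false & redirectTo: null | undefined (not set) */` and `/** redirect: true & redirectTo: null | undefined (not set) */`, but only the first can describe a member whose `redirect` is `false`; the `redirect: true` without `redirectTo` case has no variant in the union, so either a variant is missing or the second comment is stale. `SignOutReturnData` in the next hunk carries the same pair of comments. The first comment also sits inside the type expression (`= /** redirect: true & redirectTo: string */{`), where TSDoc tooling does not attach it to anything; one leading comment line per variant, with the case described in words, would render and is easier to keep in sync with the members.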
|
|
2141
2626
|
/**
|
|
@@ -2149,83 +2634,73 @@ interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptio
|
|
|
2149
2634
|
payload: CredentialsPayload;
|
|
2150
2635
|
}
|
|
2151
2636
|
/** Programmatic credentials sign-in result with response metadata and `toResponse()`. */
|
|
2152
|
-
type SignInCredentialsAPIReturn = AuthActionAPIReturn<
|
|
2153
|
-
success: true;
|
|
2154
|
-
redirectURL: string;
|
|
2155
|
-
} | {
|
|
2156
|
-
success: false;
|
|
2157
|
-
redirectURL: null;
|
|
2158
|
-
}>;
|
|
2637
|
+
type SignInCredentialsAPIReturn = AuthActionAPIReturn<SignInCredentialsReturnData>;
|
|
2159
2638
|
/** Client-side sign-out options. */
|
|
2160
2639
|
interface SignOutOptions extends OptionsWithRedirectTo {}
|
|
2161
|
-
|
|
2162
|
-
|
|
2163
|
-
redirect:
|
|
2164
|
-
|
|
2640
|
+
type SignOutReturnData = /** redirect: true & redirectTo: string */{
|
|
2641
|
+
success: true;
|
|
2642
|
+
redirect: true;
|
|
2643
|
+
redirectURL: null;
|
|
2644
|
+
} /** redirect: false & redirectTo: string */ | {
|
|
2165
2645
|
success: true;
|
|
2166
2646
|
redirect: false;
|
|
2167
2647
|
redirectURL: string;
|
|
2168
|
-
}
|
|
2648
|
+
}
|
|
2649
|
+
/** redirect: false & redirectTo: null | undefined (not set) */
|
|
2650
|
+
/** redirect: true & redirectTo: null | undefined (not set) */
|
|
2651
|
+
| {
|
|
2652
|
+
success: true;
|
|
2653
|
+
redirect: false;
|
|
2654
|
+
redirectURL: null;
|
|
2655
|
+
} /** Failed */ | {
|
|
2169
2656
|
success: false;
|
|
2170
2657
|
redirect: false;
|
|
2171
2658
|
redirectURL: null;
|
|
2172
|
-
}
|
|
2659
|
+
};
|
|
2660
|
+
/** Client-side sign-out return type (redirect mode or manual redirect data). */
|
|
2661
|
+
type SignOutReturn<Options extends SignOutOptions> = Options extends {
|
|
2662
|
+
redirect: false;
|
|
2663
|
+
} ? Extract<SignOutReturnData, {
|
|
2664
|
+
redirect: false;
|
|
2665
|
+
}> : void;
|
|
2173
2666
|
/** Server/programmatic options for `signOut` API. */
|
|
2174
|
-
interface SignOutAPIOptions extends
|
|
2175
|
-
/**
|
|
2176
|
-
* Required headers used to execute sign-out.
|
|
2177
|
-
* Must include `session_token` and `csrf_token` cookies for CSRF validation.
|
|
2178
|
-
* @example
|
|
2179
|
-
* {
|
|
2180
|
-
* Cookie: "session_token=abc123; csrf_token=def456"
|
|
2181
|
-
* }
|
|
2182
|
-
*/
|
|
2183
|
-
headers: HeadersInit;
|
|
2184
|
-
/**
|
|
2185
|
-
* Optional `Request` object as an alternative to manually providing `headers`.
|
|
2186
|
-
*/
|
|
2187
|
-
request?: Request;
|
|
2188
|
-
}
|
|
2667
|
+
interface SignOutAPIOptions extends RequiredKeys<APIOptionsWithRequest, "headers">, APIOptionsWithSkipCSRFCheck {}
|
|
2189
2668
|
/** Programmatic sign-out result with redirect metadata and `toResponse()`. */
|
|
2190
|
-
type SignOutAPIReturn = AuthActionAPIReturn<
|
|
2191
|
-
success: true;
|
|
2192
|
-
redirect: boolean;
|
|
2193
|
-
redirectURL: string;
|
|
2194
|
-
} | {
|
|
2195
|
-
success: false;
|
|
2196
|
-
redirect: boolean;
|
|
2197
|
-
redirectURL: null;
|
|
2198
|
-
}>;
|
|
2669
|
+
type SignOutAPIReturn = AuthActionAPIReturn<SignOutReturnData>;
|
|
2199
2670
|
/** Client-side `updateSession` options: partial session payload plus optional redirect behavior. */
|
|
2200
2671
|
interface UpdateSessionOptions<DefaultUser extends User = User> extends OptionsWithRedirectTo {
|
|
2201
2672
|
/** Partial session data to merge into the current session. */
|
|
2202
2673
|
session: DeepPartial<Session<DefaultUser>>;
|
|
2203
2674
|
}
|
|
2204
|
-
/**
|
|
2205
|
-
|
|
2675
|
+
type UpdateSessionReturnData<DefaultUser extends User = User> = /** redirect: true & redirectTo: string */{
|
|
2676
|
+
success: true;
|
|
2677
|
+
session: Session<DefaultUser>;
|
|
2678
|
+
redirect: true;
|
|
2679
|
+
redirectURL: null;
|
|
2680
|
+
} /** redirect: false & redirectTo: string */ | {
|
|
2681
|
+
success: true;
|
|
2682
|
+
session: Session<DefaultUser>;
|
|
2206
2683
|
redirect: false;
|
|
2207
|
-
|
|
2684
|
+
redirectURL: string;
|
|
2685
|
+
} /** redirect: false & redirectTo: null | undefined (not set) */ | {
|
|
2208
2686
|
success: true;
|
|
2209
2687
|
session: Session<DefaultUser>;
|
|
2210
|
-
|
|
2688
|
+
redirect: false;
|
|
2689
|
+
redirectURL: null;
|
|
2690
|
+
} /** Failed session update */ | {
|
|
2211
2691
|
success: false;
|
|
2212
2692
|
session: null;
|
|
2213
|
-
|
|
2693
|
+
redirect: false;
|
|
2694
|
+
redirectURL: null;
|
|
2695
|
+
};
|
|
2696
|
+
/** Client-side `updateSession` return type. */
|
|
2697
|
+
type UpdateSessionReturn<Options extends UpdateSessionOptions<DefaultUser>, DefaultUser extends User = User> = Options extends {
|
|
2698
|
+
redirect: false;
|
|
2699
|
+
} ? Extract<UpdateSessionReturnData<DefaultUser>, {
|
|
2700
|
+
redirect: false;
|
|
2701
|
+
}> : void;
|
|
2214
2702
|
/** Server/programmatic options for `updateSession` API. */
|
|
2215
|
-
interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends APIOptionsWithRequest, APIOptionsWithSkipCSRFCheck {
|
|
2216
|
-
/**
|
|
2217
|
-
* Required headers used to execute session update.
|
|
2218
|
-
* Must include `session_token` and `csrf_token` cookies for CSRF validation.
|
|
2219
|
-
* @example
|
|
2220
|
-
* {
|
|
2221
|
-
* Cookie: "session_token=abc123; csrf_token=def456"
|
|
2222
|
-
* }
|
|
2223
|
-
*/
|
|
2224
|
-
headers: HeadersInit;
|
|
2225
|
-
/**
|
|
2226
|
-
* Optional `Request` object as an alternative to manually providing `headers`.
|
|
2227
|
-
*/
|
|
2228
|
-
request?: Request;
|
|
2703
|
+
interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends RequiredKeys<APIOptionsWithRequest, "headers">, APIOptionsWithSkipCSRFCheck {
|
|
2229
2704
|
/**
|
|
2230
2705
|
* Partial session payload used to update the current session.
|
|
2231
2706
|
* @see Session
|
|
@@ -2240,15 +2715,7 @@ interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends APIOp
|
|
|
2240
2715
|
session: DeepPartial<Session<DefaultUser>>;
|
|
2241
2716
|
}
|
|
2242
2717
|
/** Programmatic session update result with redirect metadata and `toResponse()`. */
|
|
2243
|
-
type UpdateSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<
|
|
2244
|
-
success: true;
|
|
2245
|
-
session: Session<DefaultUser>;
|
|
2246
|
-
redirectURL: string;
|
|
2247
|
-
} | {
|
|
2248
|
-
success: false;
|
|
2249
|
-
session: null;
|
|
2250
|
-
redirectURL: null;
|
|
2251
|
-
}>;
|
|
2718
|
+
type UpdateSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<UpdateSessionReturnData<DefaultUser>>;
|
|
2252
2719
|
//#endregion
|
|
2253
2720
|
//#region src/@types/index.d.ts
|
|
2254
2721
|
/**
|
|
@@ -2272,8 +2739,8 @@ type AuthClient = ReturnType<typeof createAuthInstance>["handlers"];
|
|
|
2272
2739
|
* Options for {@link createAuthClient} (browser HTTP client). Extends the router client with an optional `baseURL`
|
|
2273
2740
|
* when the client runs outside the browser (e.g. server-side fetch to your app origin).
|
|
2274
2741
|
*/
|
|
2275
|
-
type AuthClientOptions = Prettify
|
|
2742
|
+
type AuthClientOptions = Prettify<Omit<ClientOptions, "baseURL"> & {
|
|
2276
2743
|
baseURL?: string;
|
|
2277
2744
|
}>;
|
|
2278
2745
|
//#endregion
|
|
2279
|
-
export {
|
|
2746
|
+
export { FromShapeToObject as $, SpotifyProfile as $n, JWTEncryptionAlgorithm as $t, UpdateSessionOptions as A, Name as An, Logger as At, TokenRevocationError as B, twitch as Bn, OAuthProvider as Bt, SignOutAPIOptions as C, clickUp as Cn, UserShapeArkType as Cr, CredentialsProviderContext as Ct, SignOutReturnData as D, AccountType as Dn, InternalLogger as Dt, SignOutReturn as E, atlassian as En, createIdentity as Er, InternalContext as Et, AuthInternalErrorCode as F, NotionUser as Fn, StandardCookie as Ft, DeepPartial as G, mailchimp as Gn, AsymmetricKeyPair as Gt, ArktypeShapeToObject as H, pinterest as Hn, OAuthProviderCredentials as Ht, AuthSecurityErrorCode as I, Owner as In, SyslogOptions as It, EditableShapeArkType as J, SummaryGear as Jn, CryptoSecret as Jt, DeepRequired as K, StravaProfile as Kn, AsymmetricKeyPairFromEnv as Kt, AuthorizationError as L, Person as Ln, TrustedOrigin as Lt, UpdateSessionReturnData as M, dropbox as Mn, SchemaRegistryContext as Mt, APIErrorMap as N, Bot as Nn, SecureCookie as Nt, UpdateSessionAPIOptions as O, DropboxProfile as On, JoseInstance as Ot, AccessTokenError as P, NotionProfile as Pn, Severity as Pt, EditableUser as Q, SpotifyImage as Qn, JWTEncryptedMode as Qt, ErrorType as R, notion as Rn, TrustedProxyHeadersConfig as Rt, SignInReturn as S, ClickUpProfile as Sn, UserShape as Sr, CredentialsProvider as St, SignOutOptions as T, ExtendedProfile as Tn, UserShapeValibot as Tr, IdentityConfig as Tt, AuthResponse as U, Login as Un, OAuthProviderRecord as Ut, createAuth as V, PinterestProfile as Vn, OAuthProviderConfig as Vt, ConfigSchema as W, MailchimpProfile as Wn, ResponseType as Wt, EditableShapeValibot as X, XProfile as Xn, JWTConfig as Xt, EditableShapeTypebox as Y, strava as Yn, GetStatelessSessionReturn as Yt, EditableShapeZod as Z, x as Zn, JWTConfigBase as Zt, SignInCredentialsAPIReturn as _, createBuiltInOAuthProviders as _n, SchemaTypes as _r, CookieConfig as _t, OAuthEnv as a, JWTSealedMode as an, discord as ar, 
Prettify as at, SignInCredentialsReturnData as b, DribbbleTeams as bn, UserIdentityTypeBox as br, CookieStrategyAttributes as bt, APIOptionsWithRequest as c, JWTStrategyOptions as cn, BitbucketProfile as cr, TypeboxShapeToObject as ct, GetSessionAPIOptions as d, SessionConfig as dn, github as dr, Wrap as dt, JWTExpirationStrategy as en, spotify as er, InferSession as et, GetSessionAPIReturn as f, SessionStrategy as fn, createSyslogMessage as fr, ZodShapeToObject as ft, SignInCredentialsAPIOptions as g, builtInOAuthProviders as gn, IsZod as gr, AuthRuntimeConfig as gt, SignInAPIReturn as h, BuiltInOAuthProvider as hn, IsValibot as hr, AuthInstance as ht, JWTStandardClaims as i, JWTMode as in, Nameplate as ir, Merge as it, UpdateSessionReturn as j, RootInfo as jn, RouterGlobalContext as jt, UpdateSessionAPIReturn as k, FullTeam as kn, LogLevel as kt, APIOptionsWithSkipCSRFCheck as l, SecretKey as ln, bitbucket as lr, UserFrom as lt, SignInAPIOptions as m, User as mn, IsArkType as mr, AuthConfig as mt, AuthClientOptions as n, JWTKeyAlgorithm as nn, gitlab as nr, InferZodShape as nt, TypedJWTPayload$1 as o, JWTSignedMode as on, FigmaProfile as or, RequiredKeys as ot, OptionsWithRedirectTo as p, StatelessStrategyConfig as pn, Identities as pr, AuthAPI as pt, EditableShape as q, SummaryClub as qn, CreateSessionStrategyOptions as qt, JWTPayloadWithToken as r, JWTManager as rn, DiscordProfile as rr, LiteralUnion as rt, APIOptionsWithRedirectTo as s, JWTSigningAlgorithm as sn, figma as sr, SessionFrom as st, AuthClient as t, JWTKey as tn, GitLabProfile as tr, InferUser as tt, FunctionAPIContext as u, Session as un, GitHubProfile as ur, ValibotShapeToObject as ut, SignInCredentialsOptions as v, DribbbleDefault as vn, UserIdentity as vr, CookieName as vt, SignOutAPIReturn as w, AtlassianProfile as wn, UserShapeTypeBox as wr, HostCookie as wt, SignInOptions as x, dribbble as xn, UserIdentityValibot as xr, CredentialsPayload as xt, SignInCredentialsReturn as y, DribbbleProfile 
as yn, UserIdentityArkType as yr, CookieStoreConfig as yt, OAuthError as z, TwitchProfile as zn, AuthorizeParams as zt };
|